What Is the Attack Scenario Described in “How to Think About Security”?
According to recent IT employment surveys, certification studies, and polls of IT professionals, system and network security are shaping up as "the" core competencies worthy of cultivation. To help you explore this fascinating field, and appreciate its breadth and depth, Ed Tittel has put together a collection of two articles that together cover information security (or infosec, as it's sometimes called) as completely as possible. All the books in here are worth owning — though you may not need to acquire all books on identical or related topics from these lists. Together this compilation documents the best-loved and respected titles in this field. This is the first of two parts, so be sure to check out its successor story as well.
After choosing a target bank, high-tech robbers can “case the joint”—gather information that will assist the actual theft—by simply aiming a browser at the bank’s Web site and clicking on the “establish a new account” link. Creating an account (preferably under a false identity) lets us play around with the target site and gives us access to the pages that legitimate customers use to learn how the site is put together. It’s the equivalent of walking around a brick-and-mortar bank to assess the vault placement, security camera positions, and security guard routines. Better yet, we’re not stuck with a particular physical location. Casing multiple banks out in the real world is time-consuming and puts your face on camera. Casing banks online is pretty easy, on the other hand, and if bank A doesn’t look promising, bank B is just a few clicks away. We might get lucky and find obvious weaknesses at our target site, but even if we assume the developers did their job and didn’t leave us any SQL-injection or XSS vulnerabilities, we’re still likely to get some very useful information. For example, the bank gives us an account number and informs us that we need to set up our preferred authentication method. In addition to personal identification numbers (PINs), modern systems often add extra information, such as a randomly selected personal question on predetermined topics such as your pet’s name.
Intruders are always looking for new ways to gain access to resources such as computer systems or personal information, which they can use maliciously for personal gain. Sometimes attackers get their chance because of weaknesses found in people (Egan, 2008). These may be behaviors rooted in trust or ignorance, but they can also be induced through simple persuasion or manipulation. It is generally much easier to trick a person than it is to trick a complex computer. Social engineering across information technology networks is a fairly new idea, and with all new ideas come new questions. The questions raised in this dissertation only scratch the surface of what is out there and contribute to some of the major holes identified in Chapter 3. This dissertation contributes to four major aspects of social engineering: the history, the anatomy of an ITSE attack, the definition of ITSE, and examples of ITSE. Social engineering is an attack against the vulnerability that people present within the security ideal. As long as people continue to be involved with computers, people will be a weakness that must be considered and factored into all security decisions. My dream is that one day a patch will be developed to prevent people from being such a large vulnerability (Deichmann, 1996).
Although the first draft of this article appeared in 2003, recent IT employment surveys, certification studies, and polls of IT professionals show that system and network security continue to represent core technical competencies worthy of cultivation. To help you explore this fascinating field and appreciate its breadth and depth, Ed Tittel has put together a pair of articles that together cover information security (or InfoSec, as it's sometimes called) books as completely as possible. All the books in here are worth owning, though you may not need to acquire all books on identical or related topics from these lists. Together this compilation documents the best-loved and respected titles in the field.
Deichmann, Ute. Biologists Under Hitler. Cambridge: Harvard University Press, 1996.
Egan, M. "120 Idiots Give Up Password for £5 M&S Voucher." September 25, 2008. Accessed June 10, 2009.
Erickson, Milton. "Two-Level Communication and the Microdynamics of Trance and Suggestion." The American Journal of Clinical Hypnosis, 1976.
Evans, Richard. The Third Reich in Power. New York: Penguin, 2005.